Autorita Garante per la protezione del dati personal! 
Piazza di Monte Citorio n. 121 
00186 ROMA 

Network Transmission and Communications Department 
Reference: DCRT/GP/125145 
Date: 21 May 2018 


Dear Sirs 

Re: Response to request for information dated 11 May 2018 

I am writing on behalf of Facebook Ireland Limited (“Facebook Ireiand” or 
“Facebook”) regarding your request for information received on Friday, 11 May 2018 
(“the Request”). You initially set us a deadline of 10 days to respond - a period of 
time which in fact consists of only 6 working days - which is clearly insufficient given 
the number and nature of the questions asked. While we are grateful that you have 
since agreed to allow us an additional 30 days (i.e. to 10 June 2018) to reply to some 
of these questions, you have nonetheless insisted that we should respond to 
questions (e), (f), (g), and (p) by your original deadline. We will endeavour to provide 
what we can in this very short time window. 

As we have explained to your office previously, Facebook Ireland is the sole data 
controller for all ED users of the Facebook service, including Italian users. We are 
happy to address your questions, even in the very limited time you have given us, on 
a voluntary basis and on the understanding that we are subject to Irish data 
protection laws and the exclusive jurisdiction of the Irish Data Protection 
Commissioner (“IDPC”) on all data processing matters in the ED. We also reserve 
the right to supplement these answers at a later date. 

We set out our responses below, and will aim to provide responses to the remaining 
questions in the Request by the agreed deadline of 10 June 2018. 


Question (E): for what purpose was Ballot launched in Italy? 

Facebook's mission is to give people the power to build community and bring the 
world closer together. As part of this, we are committed to supporting an informed 
and civically engaged community on our platform, and to providing opportunities for 
people to access reliable information and to participate in public debate. 

Around the globe, people use Facebook to find, follow and connect with candidates 
and elected officials in their countries. And governments are using Facebook as a 
way of engaging with their citizens directly and personally. With this aim, we 
frequently work with and are consulted by national electoral bodies to help them 
achieve their parallel goals of increasing voter education, registration, and turnout. 

In advance of the 2018 general elections in Italy earlier this year, we collaborated 
extensively with the Ministry of the Interior (“the Ministry”), as well as obtaining input 
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from other organisations and candidates across the country, in order to introduce our 
“Ballot” product to Italian users. This is a tool designed to help people find out more 
about the election taking place, and information about the candidates they can vote 
for and their policies. The Ministry, along with the Presidency of the Council of 
Ministers, decided to work with Facebook as part of their wider communication 
campaign dedicated to the 2018 general elections, which included a video tutorial 
focused on educating Italian users about the new voting requirements that were 
being introduced, and helping them to better understand new Italian electoral laws. 
The Presidency of the Council of Minsters and Ministry worked with us on the 
specifics of the language we used in the Ballot product itself in the section related to 
the tutorial video, and on external communications regarding its promotion. 

Screenshots illustrating how Ballot appeared to Italian users are enclosed at Annex 
1. The tool appeared in the majority of Italian Facebook users' News Feed where it 
was shown once every two days and, until the day of the elections, remained 
accessible via a bookmark placed at the margin of users' News Feed. When Italian 
users accessed Ballot, they were given the option of entering their postal address in 
order to locate and access detailed information about candidates from their own 
constituency. Every candidate running for the Senate or the Chamber of Deputies 
was listed in the tool. It not only enabled users to discover the candidates in their 
constituency, but also to compare their positions on relevant issues as well as the 
policies of their parties and movements, to follow the candidates on Facebook, and 
to learn about upcoming campaign events. Additionally, in order to learn more about 
the voting requirements and better understand the new Italian electoral laws, people 
were able to view, directly from Ballot, the official video tutorial created by the 
Presidency of the Council of Ministers and the Ministry mentioned above. 

Information about the other civic tools we offer can be found here: 

https://politics.fb.com/civic-tools/ 


Question (F): What data is coiiected in reiation to users who engage with Baiiot 
in itaiy (for exampie, the tracking of the users' reading of the various profiies of 
candidates; the sharing among users of the fact that they had aiready voted; 
etc.) and how is it used? 

Information regarding the data we collect in relation to Facebook users and how it is 
used is explained in our Data Policy.^ 

With regard to the use of the Ballot product in Italy specifically, users were able to 
provide their postal address so that they could find out who the candidates were in 
their local area, and obtain detailed information about those candidates (as explained 
above). Users were given full control over the data they chose to provide in this way. 
They were able to skip entering it or, once they had learned about their local 
candidates, they could remove or edit it. 

If users clicked on candidates' profiles when using Ballot, we obtained basic logs of 
their actions. This information was solely used in order to give us the ability to 
generate aggregated engagement metrics, so we could understand how the product 
was being used and how it may be improved in future elections. 


^ https://www.facebook.com/policv.phi 
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Question (G): What information is provided to users about this coiiection of 
their data and its use? 

Our Data Policy explains to our users what information we collect and how we use it.^ 

Ballot also provided specific in-product disclosures to users when they were 
presented with the option of entering their address. These read as follows: 

Look up the candidates for your district using your address. Your address 
won't be dispiayed to others on Facebook, and you can aiways change or 
remove this information iater. Learn More 

If users clicked on the “Learn More” link they were then provided with the following 
information:^ 

Learn More FAQ 

Why does Facebook need address to show me information about 
eiections and government representatives? 

In order to show you accurate information about the elected officials for your 
constituency, Facebook may ask you to provide your address. This address 
may also be used in future Facebook features, including election results and 
other election and government features on Facebook. 

The address you provide for government and election features on Facebook 
won't be displayed to others on Facebook. 

You can remove this address information at any time by clicking on Edit 
Location or Remove Address in a government or elections feature and then 
removing the address shown. 


Question (P): Does Facebook coiiect and process personai data of individuais 
who are not Facebook users (so named 'shadow profiies')? if so: (a) what data 
is processed, (b) what processing activities are carried out on said data, (c) 
how the reievant information has been provided to the data subjects and how 
their consent has been coiiected; (d) expiain the specificity of said profiies and 
their abiiity to uniqueiy identify a naturai persons, and whether said shadow 
profiies are used to track data subjects' activities on the internet. 

As an initial point, we wish to make clear that we do not build “shadow profiles” for 
non-Facebook users. 

From your reference to “tracking activities on the internet”, we understand your 
question to relate to non-users' data we receive from third party websites and apps.'^ 
To understand what information we collect about non-users in that context and why 
we collect it, it is important to understand the tools that Facebook makes available to 


^ https://www.facebook.com/policv.php 

^ Also available here: https://www.facebook.com/help/299618223782909 

* As opposed to, for example, non-users' data that other Facebook users may choose to post on Facebook; or non¬ 
users' data that advertisers using our self-serve advertising tools may choose to upload 
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third parties, such as website owners and publishers, which they can integrate into 
their services. These technologies have a range of purposes. For example: 

• Facebook social plugins, such as the Like button and Share button, enrich 
users' experience of Facebook by allowing them to see what their Facebook 
friends have liked, shared, or commented on across the internet. 

• Facebook also offers the Facebook Pixel, which allows third parties to 
understand how people are engaging with their content and better reach 
people who use or might be interested in their products and services. 

In this context, we receive information when a site or app that uses these Facebook 
technologies is visited. Specifically, our servers log:^ 

• standard browser or app records of the fact that a particular device or user 
visited the website or app (this connection to Facebook's servers occurs 
automatically when a person visits a website or app that contains our 
technologies, such as a Like button, and is an inherent function of how the 
internet is designed); and 

• any additional information the publisher of the app or website chooses to 
share with Facebook about the person's activities on that site (such as the 
fact that a purchase was made on the site). 

In order for third parties to use our Facebook technologies in their websites or apps, 
we have made it a contractual requirement that they do so in accordance with 
applicable laws. This includes a requirement that, where necessary, they obtain valid 
consent or have another valid legal basis to share information with Facebook from 
their service; and also obtain consent to use of our cookies where required. 

Many companies offer these types of services and, like Facebook, they also get 
information from the apps and sites that use them. Twitter, Pinterest and Linkedin all 
have similar Like and Share buttons to help people share things on their services. 
Google has a popular analytics service. These companies - and many others - also 
offer advertising services. In fact, most websites and apps send the same information 
to multiple companies each time you visit them. 

To answer your specific question, in the context of this data we receive from third 
party sites or apps, there are two situations where we may obtain data relating to 
non-Facebook users: 

• when a person who is not a registered user of Facebook visits a third party 
site or app that uses our services, we receive logs of this visit, as well as any 
additional information the publisher wishes to share with us, as explained 
above. Sharing of log information in this way is an inherent feature of how the 
internet works and occurs automatically by virtue of the fact that the person's 
device contacts Facebook's servers in order for the Facebook buttons and 
other features on those sites and apps to work. As explained above, the third 
party site or app is contractually required to obtain valid consent or have 
another valid legal basis - e.g. legitimate interests - to share this log 
information with Facebook from their service, as well as any additional 


^ See https://www.facebook.com/policies/cookies for more detail. 
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information about activity on their site. They are also contractually required to 
obtain consent to use of our cookies, where required. 

• when a person who is not a registered user of Facebook interacts directly 
with Facebook (e.g., visits our site), we obtain similar logs regarding this visit. 
We comply with applicable EU laws by obtaining consent from European 
users before setting any cookies that are not strictly necessary by displaying 
a cookie banner to every browser visiting Facebook for the first time to notify 
users about our cookie use as follows: “To help personalise content, tailor 
and measure ads and provide a safer experience, we use cookies. By clicking 
on or navigating the site, you agree to allow us to collect information on and 
off Facebook through cookies. Learn more, including about available 
controls: Cookie Policy.” In addition to consent, we also have other valid 
legal bases for the processing of non-users' data in this way, including 
legitimate interests. 

The information received in this manner allows Facebook to identify a specific 
browser. However, when the person visiting our website, or the third party website or 
app, is not a Facebook user, we do not receive any information that would allow us to 
identify the individual that is in fact using that browser. Indeed, as far as we know, 
there may not be one such individual, as it could be the case that a number of 
individuals are using that same browser. 

Where Facebook receives such information relating to non-users in a capacity as a 
data controller, our processing of that data complies with all applicable laws. Our 
Data Policy® explains in detail what we do with the information we receive, and 
makes clear that we may collect data from people away from Facebook who don't 
have a Facebook account. Our Cookies Policy ^ also provides more detailed 
information about how and why we use cookies and the controls that people have. 

Where we are acting as a data controller, once we conclude that the log data we 
have received does not relate to a Facebook user's browser, we then primarily use 
that data for the following purposes: 

• security and business integrity purposes. For example, utilising privacy 
protective methodology, Facebook uses aggregated data relating to non¬ 
users' browsers to obtain signals regarding their internet usage. This helps us 
to determine if a browser is likely being used by a regular internet user, or a 
possible bad actor such as an automated bot attempting to create a fake 
account or scrape public content from our platform. 

• to send the non-user an ad about Facebook. When a non-user visits a third 
party site or app that is part of our Audience Network,® after we conclude the 
browser they are using does not relate to a Facebook user, we do not then 
seek to show targeted ads from our advertisers or otherwise personalise 
content for those non-users in any way. However we may take the 
opportunity to show an ad encouraging the user to sign up for Facebook. 

We also use some of this data on browsers relating to non-users in order to provide 
measurement and analytics services. However we generally do so as a data 


® https://www.facebook.com/policv.php 
^ https://www.facebook.com/policies/cookies/ 

^ https://www.facebook.com/business/help/788333711222886 
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processor, e.g. to provide third parties using our services with aggregated and 
anonymised information about the numbers of people that have visited their site and 
their activity. 

It is important to note that we are in the process of rolling out updated terms, an 
updated data policy and an updated cookies policy for the purposes of the incoming 
GDPR. These policies provide people, including in Italy, with even greater 
transparency around the data we collect, how we use it, and our legal bases for 
processing that data. We have been working closeiy with the ID PC in relation to 
these updates, given they will be our Lead Supervisory Authority under the GDPR. 
For the avoidance of doubt, the answers above refer to our existing terms, rather 
than the incoming terms. 

We have prepared the answer above in the very limited lime that we have been 
permitted to respond to these questions. If you would like us to eiaborate on anything 
we have said or provide any additional information, we would be happy to do so. 

Please find enclosed a courtesy Italian translation of this letter. 


Yours faithfully 




Head of Data Protection, Facebook Ireland Limited 


Annex 1: Screenshots of the Ballot product 
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